Good day!

A few weeks ago, we had a security breach in the company I'm working for, because employees used "ssh -R" to expose systems from our internal network to some SSH server in the outer world. Of course, this is a breach of our internal security policy, but it led us to wonder whether there is a technical solution to prevent our users from creating SSH reverse tunnels.

After a lot of googling, there seems to be no option for the system-wide client config that would do the trick, nor any other suitable solution. (Watching ps is not sufficient, as the users can also specify reverse tunnels in their client config or create them from an already existing connection.)

Is it possible to achieve this without nasty workarounds like wrapper scripts monitoring the very verbose output of SSH or doing DPI? Alternatively, would it be possible to add a config option allowing an administrator to disable reverse port forwarding or limit its destinations?

Thank you in advance,
Jan Bergner

--
________________________________________
Jan Bergner, M.Sc.
Software Engineer
indurad GmbH
The Industrial Radar Company
Belvedereallee 5
52070 Aachen, Germany
Office: +49 241 538070-61
Front Desk: +49 241 538070-0
Fax: +49 241 538070-99
jan.bergner@xxxxxxxxxxx
www.indurad.com <http://www.indurad.com/>
_______________________________________
_______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
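The mail above points out that reverse tunnels can be requested from a client config file as well as from the command line, so any audit has to read ssh_config files too. The following is an added example, not code from the mail or from the OpenSSH project: a small parser for ssh_config-style text that reports every RemoteForward directive and the Host/Match block it belongs to; the sample config is constructed.

```python
"""Audit OpenSSH client configuration for RemoteForward directives.

Added example (not from the original mail or the OpenSSH project). It walks
an ssh_config-style text and reports every RemoteForward line together
with the Host/Match block that applies to it. The sample config below is
constructed for demonstration.
"""
import re
from typing import List, Tuple

# ssh_config accepts "Keyword value" and "Keyword=value"; keywords are
# case-insensitive. Lines whose first non-blank character is '#' are comments.
_LINE = re.compile(r"^\s*([A-Za-z]+)\s*(?:=|\s)\s*(.*?)\s*$")


def find_remote_forwards(config_text: str) -> List[Tuple[str, str]]:
    """Return (block, forward_spec) pairs for every RemoteForward directive.

    `block` is the pattern of the enclosing Host/Match line, or '*' for
    directives that appear before any block (they apply to all hosts).
    """
    hits = []
    block = "*"
    for raw in config_text.splitlines():
        if raw.lstrip().startswith("#"):
            continue  # comment line
        m = _LINE.match(raw)
        if not m:
            continue  # blank or unparseable line
        key, value = m.group(1).lower(), m.group(2)
        if key in ("host", "match"):
            block = value  # subsequent directives belong to this block
        elif key == "remoteforward":
            hits.append((block, value))
    return hits


# Constructed sample: one global forward, one inside a Host block using
# the '=' form, and a commented-out directive that must not match.
SAMPLE_CONFIG = """\
# RemoteForward 2222 localhost:22   (commented out, must be ignored)
RemoteForward 8080 intranet.example:80
Host jump
    HostName jump.example.net
    remoteforward=2222 127.0.0.1:22
Host *
    ServerAliveInterval 30
"""

if __name__ == "__main__":
    for block, spec in find_remote_forwards(SAMPLE_CONFIG):
        print(f"Host {block!r}: RemoteForward {spec}")
```

Run it against the system-wide ssh_config and each user's ~/.ssh/config to list configured reverse forwards; it does not catch forwards requested interactively on an existing session, which the mail also mentions.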